POPIA SA - Protection of Personal Information Act: Republic of South Africa

The Protection of Personal Information Act (POPIA) was signed into South African law in November 2013, and its provisions have since been brought into force in stages. The act regulates how businesses and public bodies collect, store and process personal information about customers and other individuals, and mandates the data protection measures they must put in place.

The main objective of the act is to give effect to everyone's constitutional right to privacy, while striking a balance with competing interests such as the right of access to information and the free flow of information within and across the country's borders.

The conditions for the lawful processing of personal information by an organisation (the "responsible party") are grouped under eight headings:

  1. Accountability: The responsible party must ensure that all of the conditions below are met, and implement the necessary data protection controls to do so.
  2. Processing limitation: Personal information may only be processed lawfully and in a manner that does not infringe the privacy of the data subject, for example with the data subject's consent or to protect a legitimate interest.
  3. Purpose specification: Personal information must be collected for a specific, explicitly defined and lawful purpose, and the data subject must be made aware of that purpose.
  4. Further processing limitation: Any further processing must be compatible with the purpose for which the information was originally collected.
  5. Information quality: The responsible party must take reasonable steps to ensure that personal information is complete, accurate, up to date and not misleading.
  6. Openness: The responsible party must document its processing operations and inform the data subject, at the time of collection, what information is being collected, by whom and for what purpose.
  7. Security safeguards: The integrity and confidentiality of personal information must be protected through appropriate technical and organisational controls. Security compromises must be notified to the Information Regulator and to the affected data subjects.
  8. Data subject participation: A data subject has the right to ask a responsible party, free of charge, whether it holds personal information about them, and to request that inaccurate, excessive, irrelevant, outdated or unlawfully obtained information be corrected or deleted. This right applies regardless of the data protection measures the organisation has in place.

POPIA incorporates and is aligned with many of the provisions of the European Union data protection directives. POPIA restricts the transfer of personal information outside South Africa; transfers are permitted only where the recipient is bound by law, binding corporate rules or a contract that provides protection substantially similar to POPIA's, or where another statutory exception applies. The act does not apply to the processing of personal information solely for journalistic, literary or artistic purposes.

POPIA aims to bring about a change in the way public and private organisations handle personal information, so that they act responsibly with regard to data security. Offences under the act carry a maximum fine of R10 million (roughly EUR 650,000 at the time of writing) or imprisonment.

POPIA is another positive step towards data security and protection of personal information.

Authored by Suhas Rautmare


There are 3 Comments

Good article. Its value can be further enhanced by including the following:
1. List of IT controls to be implemented to support POPI. This should be domain specific to be meaningful (i.e. controls in the telecom industry, in BFS, etc.).
2. Registered agencies in RSA who are authorised to audit POPI compliance.
3. Penalties due to non-compliance.
4. Since this has been brought into effect in Nov 2013, what is the time laid down for all corporates in RSA to be compliant with POPI?
5. Are POPI standards up to and acceptable by the European Personal Data Protection standards?
6. Is there a South African equivalent of the US Safe Harbour Act?

Thanks for the inputs, Bhushan.
KPMG, PwC, Novation Consulting and Michalsons are some of the recognised auditors in SA.

Good informative article, and especially point 8 is interesting. I am not sure, but I guess as of now the UK and EU DPA do not provide a right to deletion. Also, there is a fine for a breach, but do they have a fine for not adhering to a right of deletion request?